Web Application Firewall (WAF)
The Web Application Firewall protects web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. The WAF supports all known techniques such as the OWASP Core Rule Set, many application-specific rule sets, a large number of commercial rules, known IP blacklists, source IP rate limiting, SSL encryption and much more.
High performance by clustered proxy
The WAF is based on a clustered reverse proxy with SSL termination included, offering extremely high performance filtering. It forwards all data traffic and is the server the user interacts with. Any IP subnet on the internet can be used, so it is also possible to use the WAF for websites hosted at AWS, Azure, Google or any other cloud service on the internet. The web proxy hides the web server's public IP by routing all traffic through different public servers and addresses. Therefore an attacker is unable to attack the web server IP directly.
The WAF understands the HTTP/S application and the data it is protecting. After you upload your SSL certificate, the WAF decrypts the encrypted traffic and is able to inspect and filter its contents.
Application based rule sets
Users can enable many application-specific rules, covering vulnerability classes for applications such as Microsoft SharePoint, WordPress, cPanel, osCommerce, Joomla, Drupal, vBulletin and a few hundred more!
OWASP Core Rule Set support
The OWASP ModSecurity Top 10 Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The Serverius WAF supports many common attack categories, including SQL Injection (SQLi), Cross Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), Remote Code Execution (RCE) and PHP Code Injection.
Add your personal WAF rules
In some cases you need to create business-specific security policies. Custom security rules let you define a personalized security policy, giving you the flexibility to tighten security policies for your hosted web applications.
Request method filtering
This feature allows you to block or allow HTTP request methods. If, for instance, you have a website that will never need a PUT request, you can disable it altogether. It is also possible to use whitelist mode, so that only specific request methods are allowed.
Debugging pages for diagnosing issues of WAF rules
When adding your manually created rules, the diagnostic tooling can be enabled. This provides information about how the WAF will process your WAF rules. For example, you can see (and test) why your rule is not blocking your request.
Flood & request method control
The WAF allows you to whitelist or blacklist all request methods, such as GET, POST, HEAD, DELETE, CONNECT and TRACE, and to set your flood control request limit per source IP.
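To make the two controls above concrete, here is an added example (not Serverius code) of a minimal request filter that applies a request-method whitelist and a per-source-IP flood limit over a sliding time window; the method set, limit, window and sample traffic are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Policy values are illustrative assumptions, not product defaults.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # whitelist mode: anything else is blocked
FLOOD_LIMIT = 5                            # max requests per source IP ...
FLOOD_WINDOW = 10.0                        # ... within this many seconds


class RequestFilter:
    """Whitelist request methods, then rate-limit each source IP (sliding window)."""

    def __init__(self, allowed=ALLOWED_METHODS, limit=FLOOD_LIMIT, window=FLOOD_WINDOW):
        self.allowed = {m.upper() for m in allowed}
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # source IP -> timestamps of allowed requests

    def check(self, src_ip, method, now):
        """Return (decision, reason) for one request arriving at time `now` (seconds)."""
        # 1. Method whitelist: reject before any per-IP accounting is done.
        if method.upper() not in self.allowed:
            return ("BLOCK", "method not whitelisted")
        # 2. Flood control: drop timestamps that fell out of the window, then count.
        q = self.history[src_ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return ("BLOCK", "flood limit exceeded")
        q.append(now)
        return ("ALLOW", "ok")


def run_sample():
    """Run constructed traffic (time, source IP, method) through the filter."""
    f = RequestFilter()
    sample = [(0.0, "198.51.100.10", "GET"),    # allowed method
              (0.5, "198.51.100.10", "PUT"),    # not whitelisted
              (1.0, "198.51.100.10", "TRACE")]  # not whitelisted
    # Seven GETs from one IP inside one second: the limit of 5 is exceeded.
    sample += [(1.0 + i * 0.1, "203.0.113.7", "GET") for i in range(7)]
    # The same IP much later: the window has slid, so it is allowed again.
    sample += [(20.0, "203.0.113.7", "GET")]
    return [(ip, method, f.check(ip, method, t)[0]) for t, ip, method in sample]


if __name__ == "__main__":
    for ip, method, decision in run_sample():
        print(f"{ip:15} {method:6} {decision}")
```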
White label: using your own private IP subnets
The WAF can be used with Serverius IP space, Serverius name servers or your own private IP space. This unique functionality allows ISPs and cloud providers to offer the Web Application Firewall and DDoS protection as a white label service.
Virtual patching integration
On top of the default OWASP 2017 core rules, the WAF provides more than 14,000 specific rules in attack categories such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc. These virtual patches are applied automatically, allowing you to update your applications on your own schedule instead of being too late with patching.
Full-featured REST API
The WAF can be administered completely through the IPC web interface and/or via the API. This gives organizations the ability to create and maintain rules automatically and to incorporate them into the development and design process. For example, a developer with detailed knowledge of the web application could create a security rule as part of the deployment process. Incorporating security into your development process in this way avoids complex hand-offs between application and security teams to keep rules up to date.